Bug 704636 - Segfault in xlsx_write_pivot_val on saving a corrupted (fuzzed) xlsx file
Status: RESOLVED FIXED
Product: Gnumeric
Classification: Applications
Component: import/export MS Excel (tm)
Version: git master
OS: Other Linux
Importance: Normal critical
Assigned To: Jody Goldberg
Reported: 2013-07-21 09:37 UTC by jutaky
Modified: 2013-07-21 22:55 UTC

Description jutaky 2013-07-21 09:37:25 UTC
Segfault in xlsx_write_pivot_val on saving a corrupted (fuzzed) xlsx file.

Git versions of glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_25395_18.xlsx

Backtrace from "ssconvert gnumeric_case_25395_18.xlsx out.xlsx":

Program received signal SIGSEGV, Segmentation fault.
0x00007fffe6d4a4ac in xlsx_write_pivot_val (state=0x7fffffffe220, xml=0xa62b90, v=0x0) at xlsx-write-pivot.c:39
39		switch (v->type) {
(gdb) bt
#0  xlsx_write_pivot_val at xlsx-write-pivot.c line 39
#1  xlsx_write_pivot_cache_records at xlsx-write-pivot.c line 120
#2  xlsx_write_pivot_cache_definition at xlsx-write-pivot.c line 265
#3  xlsx_write_pivots at xlsx-write-pivot.c line 330
#4  xlsx_write_workbook at xlsx-write.c line 2487
#5  xlsx2_file_save at xlsx-write.c line 2618
#6  go_plugin_loader_module_func_file_save at app/go-plugin-loader-module.c line 366
#7  go_plugin_file_saver_save at app/go-plugin-service.c line 948
#8  go_file_saver_save at app/file.c line 848
#9  wbv_save_to_output at workbook-view.c line 1050
#10 wb_view_save_to_uri at workbook-view.c line 1087
#11 wb_view_save_as at workbook-view.c line 1123
#12 convert at ssconvert.c line 788
#13 main at ssconvert.c line 855

--
Juha Kylmänen
Research Assistant, OUSPG
Comment 1 Andreas J. Guelzow 2013-07-21 19:27:08 UTC
This problem has been fixed in the development version. The fix will be available in the next major software release. Thank you for your bug report.
Comment 2 Morten Welinder 2013-07-21 22:40:08 UTC
Andreas, that fix is in the export (which is where the crash occurred).
Is the state correct at that point or do we need a word with the importer
too?
Comment 3 Andreas J. Guelzow 2013-07-21 22:55:25 UTC
I have no idea how the pivot table code inside Gnumeric works, or in fact what it currently does.

In the exporter we already checked for null values that are part of an array, so I would guess that in general Null values may be acceptable.

Also in xls-write-pivot.c we have an equivalent test:

static void
xls_write_pivot_cache_value (ExcelWriteState *ewb, GOVal const *v)
{
	if (NULL != v) {
		switch (v->type) {
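The backtrace above and the xls-side test quoted in comment 3 describe the same defect and the same guard: a pivot cache record holding a NULL value reaches a writer whose first statement is `switch (v->type)`. The following is an added example, not Gnumeric's or goffice's code. `Val` and `XmlOut` are constructed stand-ins for GOVal and GsfXMLOut, the sample cell array is constructed to mimic what a fuzzed file could leave in memory, and `<m/>` is the SpreadsheetML "missing" record element assumed here for a NULL cell. The writer returns whether it wrote a value, and the record loop counts the NULL cells it met, which is the kind of signal the importer question in comment 2 would need.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for goffice's GOVal: just the fields the example needs. */
typedef enum { VAL_FLOAT, VAL_STRING, VAL_BOOLEAN } ValType;
typedef struct {
    ValType     type;
    double      num;   /* VAL_FLOAT and VAL_BOOLEAN */
    const char *str;   /* VAL_STRING */
} Val;

/* Constructed in-memory sink standing in for GsfXMLOut. */
typedef struct {
    char   buf[1024];
    size_t len;
} XmlOut;

static void xml_append(XmlOut *o, const char *s)
{
    size_t n = strlen(s);
    if (o->len + n >= sizeof o->buf)
        n = sizeof o->buf - 1 - o->len;  /* truncate instead of overflowing */
    memcpy(o->buf + o->len, s, n);
    o->len += n;
    o->buf[o->len] = '\0';
}

/* Hardened writer. The NULL test is the same guard xls_write_pivot_cache_value
 * applies; without it the first statement would be `switch (v->type)` and a
 * NULL v would fault exactly as in the backtrace. A NULL cell is written as
 * <m/> (assumed SpreadsheetML "missing" record). Returns 1 if a value was
 * written, 0 if v was NULL. */
static int write_pivot_val(XmlOut *o, const Val *v)
{
    char tmp[64];

    if (v == NULL) {
        xml_append(o, "<m/>");
        return 0;
    }
    switch (v->type) {
    case VAL_FLOAT:
        snprintf(tmp, sizeof tmp, "<n v=\"%g\"/>", v->num);
        xml_append(o, tmp);
        break;
    case VAL_BOOLEAN:
        xml_append(o, v->num != 0 ? "<b v=\"1\"/>" : "<b v=\"0\"/>");
        break;
    case VAL_STRING:
        /* Real code must XML-escape v->str; the sample strings are plain. */
        xml_append(o, "<s v=\"");
        xml_append(o, v->str ? v->str : "");
        xml_append(o, "\"/>");
        break;
    default:
        xml_append(o, "<m/>");  /* unknown type: treat as missing, never crash */
        break;
    }
    return 1;
}

/* Writes one <r> record for a row of cells. Returns how many NULL cells it
 * met, so the caller can decide whether a corrupted cache should be saved. */
static int write_pivot_cache_records(XmlOut *o, const Val *const *cells, size_t n)
{
    int missing = 0;
    xml_append(o, "<r>");
    for (size_t i = 0; i < n; i++)
        if (!write_pivot_val(o, cells[i]))
            missing++;
    xml_append(o, "</r>");
    return missing;
}

/* Constructed sample row: a valid number, a NULL cell, a string, another NULL. */
static const Val sample_num = { VAL_FLOAT, 42.5, NULL };
static const Val sample_str = { VAL_STRING, 0, "East" };
static const Val *const sample_cells[] = { &sample_num, NULL, &sample_str, NULL };

/* Entry point used by main() below: writes the sample row into o. */
static int demo(XmlOut *o)
{
    o->len = 0;
    o->buf[0] = '\0';
    return write_pivot_cache_records(o, sample_cells, 4);
}

int main(void)
{
    XmlOut o;
    int missing = demo(&o);
    printf("%s\nmissing cells: %d\n", o.buf, missing);
    return 0;
}
```

Run as-is it writes `<r><n v="42.5"/><m/><s v="East"/><m/></r>` and reports two missing cells instead of faulting on the first NULL. Whether a save with a non-zero missing count should be refused, or the loader should have rejected the records earlier, is exactly the importer question raised in comment 2; the count gives whichever side owns that decision something to act on.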